
Semgrep MCP. Audit Code Security Findings from Chat.

Claude
ChatGPT
Cursor
Gemini
Windsurf
VS Code
JetBrains
Vercel

Works with every AI agent you already use

…and any MCP-compatible client


Just plug in your AI agents and start using Vinkius.

This Semgrep MCP server gives your AI agent read/write access to Semgrep's SAST platform. Use it to audit code security findings, update triage statuses on vulnerabilities, and enforce custom semantic rules across your entire codebase.

You can pull detailed flaw reports, check compliance metrics, or create new organizational rules without leaving your chat window.

What your AI agents can do

Create rule

Deploys a new, custom semantic security rule across your enterprise codebases.

Delete rule

Removes an existing custom Semgrep security rule from the deployed environment.

Get finding details

Retrieves precise information on a single flaw, including suggested fixes and associated CVE links.

List all deployed environments

Retrieves the slugs for every monitored deployment, defining the scope for subsequent actions.

Fetch global security findings

Gathers a list of static analysis flaws across an entire deployment, showing severity and file location.

Get specific vulnerability details

Pulls detailed information on a single flaw, including suggested fixes and CVE data.

Update finding status

Changes the state of a reported bug (e.g., false positive or fixed) directly in Semgrep.

Create custom security rules

Allows the agent to write and deploy new semantic rules to catch specific bad coding patterns organization-wide.

Review compliance metrics

Generates executive summaries of AppSec performance, like fix rates and time-to-resolve data.

Supported MCP Clients

OAuth 2.0 Compatible
Vinkius runs on:
Claude
ChatGPT
Cursor
Gemini
VS Code
JetBrains
Vercel
Zendesk
+ other MCP clients


Semgrep MCP Server: 10 Tools for Code Security Management

These tools let you interact with Semgrep's SAST platform directly. You can list findings, manage rules, check metrics, and update vulnerability statuses via your AI agent.

Make your AI actually useful.

Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.

create_rule

Deploys a new, custom semantic security rule across your enterprise codebases.

delete_rule

Removes an existing custom Semgrep security rule from the deployed environment.

get_finding_details

Retrieves precise information on a single flaw, including suggested fixes and associated CVE links.

get_metrics

Pulls AppSec performance statistics and compliance data for executive reporting.

get_project

Searches for a specific Semgrep project by its exact repository name.

list_deployments

Lists all defined organizational deployments, which are required to scope most other API operations.

list_findings

Fetches a summary of static analysis security findings (severity and file/line number) for a deployment.

list_projects

Lists all monitored Semgrep projects, which track security scan outputs over time in a specific deployment.

list_rules

Lists every deployed semantic rule by name and status across the organization.

update_finding_status

Changes the formal state of a Semgrep finding to 'fixed', 'false_positive', or 'ignored'.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

  • Import from OpenAPI, Swagger, or YAML specs
  • Create Agent Skills with progressive disclosure
  • Deploy to edge with MCPFusion framework
  • Built-in DLP, auth, and compliance on every call
  • Real-time usage dashboard and cost metering
  • Publish to catalog or keep private
Start building

Make Your AI Do More

Start with Semgrep, then connect any of our 4,800+ other servers whenever your AI needs more. One click, no limits.

  • Use this MCP plus 4,800+ others, all in one place
  • Add new capabilities to your AI anytime you want
  • Every connection is secured and compliant automatically
  • Track usage and costs across all your servers
  • Works with Claude, ChatGPT, Cursor, and more
  • New servers added to the catalog every week

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Semgrep. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

Cloud Hosted

Managed infra

V8 Isolated

Sandboxed per request

Zero-Trust Proxy

No stored credentials

DLP Enforced

Policy on every call

GDPR Compliant

EU data residency

Token Compression

~60% cost reduction

Your data is protected. See how we built it.

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Triage shouldn't require jumping between three different tabs.

Today, when a developer finds a vulnerability, they are forced into a painful cycle. They see the warning in their IDE, copy the finding ID, switch to the Semgrep dashboard, search for that ID, read the details, determine if it's a false positive, and then manually click the status change button. This takes minutes per flaw.

With this MCP server, your agent handles the entire sequence in one prompt. Give it the flaw ID; let it run `get_finding_details`. Then, tell it to mark it as 'false_positive' using `update_finding_status`. The whole process is automated and documented—you get the answer without leaving chat.

Semgrep MCP Server: Enforcing rules via API.

Manually updating security policy means writing a rule definition in YAML, uploading it to the platform, and then waiting for it to propagate across all monitored deployments. This is slow, and human error is common.

Now, your agent deploys new controls instantly. You can ask it to write and enforce a complex semantic pattern using `create_rule`—the code changes live, immediately securing the codebase without ever touching the dashboard.

What you can do with this MCP connector

Look, you don't wanna jump between your chat window and the Semgrep dashboard just to check on some security findings. This MCP Server gives your AI client direct read/write access to the SAST platform. You can audit code vulnerabilities, manage custom rules, and update triage statuses—all without leaving your agent.

To Start: First, you'll need to scope things out. You can run list_deployments to see every monitored deployment slug; this defines where all the subsequent actions take place. Then, use list_projects or get_project to pull a list of every tracked Semgrep project within that specific environment.

Finding Flaws: Once you're scoped in, getting an overview is easy. Run list_findings to fetch a summary of static analysis security findings for a deployment, showing the severity and file/line number immediately. If you need deep forensic data on one flaw, call get_finding_details; this pulls precise info, suggested fixes, and associated CVE links.

Handling Vulnerabilities: When your agent finds a bug, it can take action right there. Use update_finding_status to change the formal state of any reported finding—you'll tell it if it's 'fixed', marked as a 'false_positive', or simply 'ignored'.

Building Custom Rules: Need to catch a specific bad pattern that Semgrep missed? You can use create_rule to write and deploy brand new, custom semantic security rules across your entire codebase. If a rule is no good anymore, you'll run delete_rule to remove it from the deployed environment. To see what rules are already live, just ask for list_rules, which lists every deployed semantic rule by name and status.

Reporting & Auditing: For executive reports or overall health checks, pull AppSec performance statistics using get_metrics. This delivers compliance data and fix rates. You can also manage the scope of your work by listing all defined organizational deployments with list_deployments, which is required for almost every other API call.

Tying It Together: Your agent handles the flow: it lists projects, gets a summary list of findings, pulls detailed info on the worst offenders, and then updates their status or deploys a new rule to prevent them from happening again. You've got total control over your security posture right in the chat.

Built · Hosted · Managed by Vinkius. Semgrep MCP Server - Audit Code Security Findings. Server ID 019d7605-b00e-71f5-ab3f-aa8a74304cf7
Vinkius Inspector: Compliance Grade A+, Score 100/100

Common Questions About Semgrep MCP

How do I find out which environments Semgrep is monitoring?

Run list_deployments. This tool provides the deployment slug identifier, which you then need to scope all other operations (like fetching findings) against.

Can I update a finding status without knowing the flaw ID?

No. You must first use list_findings to get the relevant snippet details and identify the specific flaw, which then gives you the necessary ID for update_finding_status.

What if I need a new security rule? Should I use `create_rule`?

Yes. Use create_rule. This tool lets your agent write and deploy custom semantic rules, which is the correct way to enforce brand-new corporate standards.

How do I check overall security performance metrics?

Use get_metrics. This pulls AppSec stats like Fix Rate and time-to-resolve data, giving you an executive summary without needing to dig through raw findings.

When I use `get_finding_details`, what specific information do I get about a vulnerability?

It gives you precise context, not just severity. You retrieve the exact flagged code block, suggested semantic fixes, and links to CVE data if it's an SCA supply chain issue.

I need to check which repositories are covered by Semgrep; how do I use `list_projects`?

This tool lists every project (repository) currently monitored within a specific deployment. You use this list to define the precise scope for any subsequent finding or rule search.

If a custom security pattern is obsolete, how do I remove it using `delete_rule`?

The delete_rule function removes a custom semantic rule from your deployment. It's the direct way to clean up old or unnecessary anti-patterns from the system.

My deployed rules fail; what should I check when running `list_rules`?

Verify that the YAML definitions are structurally sound and that the rule targets the correct file paths. The output helps you confirm if the pattern exists within any monitored codebase.

Can the AI resolve or close findings in Semgrep natively?

Yes. This server supports mutable actions. By invoking update_finding_status, your AI agent can shift a specific semantic flaw to 'mitigated', 'fixed', 'ignored', or 'false_positive', updating the registry in real time.

How can I deploy a new custom SAST rule via chat?

Simply ask the LLM: 'Draft a semantic grep rule to ban hardcoded API keys in Python and deploy it'. The agent will natively format the JSON structure required and call create_rule, sending it directly to all repositories.
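As an added example, not code from the Vinkius page or the Semgrep MCP server itself, here is the kind of rule definition that the request above ("ban hardcoded API keys in Python") and the "Enforcing rules via API" section would end up deploying through `create_rule`. It is written in Semgrep's published YAML rule syntax; the rule id, the credential-name regex, the excluded test paths and the assumption that `create_rule` accepts this rule body (the page only says the agent formats the required structure) are mine.

```yaml
# Added example in Semgrep rule syntax; not part of the Vinkius page or the
# Semgrep MCP server. The rule id, name regex and excluded paths are assumptions.
rules:
  - id: python-hardcoded-api-key
    languages: [python]
    severity: ERROR
    message: >-
      Hard-coded credential assigned to $KEY. Read secrets from the environment
      or a secrets manager instead of committing them to source control.
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
      confidence: MEDIUM
    # Skip test fixtures, where placeholder keys are expected (assumed repo layout)
    paths:
      exclude:
        - "tests/"
        - "**/test_*.py"
    patterns:
      # A string literal assigned to a plain variable or to an attribute ...
      - pattern-either:
          - pattern: $KEY = "..."
          - pattern: $OBJ.$KEY = "..."
      # ... whose name suggests it holds a credential (case-insensitive)
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i).*(api[_-]?key|secret|token|password).*
      # Empty strings are defaults, not leaked credentials
      - pattern-not: $KEY = ""
      - pattern-not: $OBJ.$KEY = ""
```

Because a rule deployed with `create_rule` takes effect across every monitored repository at once, it is worth running it locally first (`semgrep --config rule.yaml .`) against a sample file and checking `list_rules` afterwards to confirm the rule is live with the expected status, so that a noisy pattern does not flood `list_findings` organization-wide.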

Do I need to supply a 'Deployment Slug' for every request?

Most API queries require the deployment context. To ensure smooth interactions, just tell the agent your organization slug once (or let it query list_deployments to fetch the default one). The agent will remember it for the rest of the conversation loop.

Built & Managed by Vinkius · 30s setup · 10 tools

We've already built the connector for Semgrep. Just plug in your AI agents and start using Vinkius.

No hosting. No infrastructure. No complex setup.
All 10 tools are live and waiting. You're up and running in seconds.


Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.

  • Zero hosting required
  • Full MCP catalog included
  • Enterprise-grade security
  • Auto-updated by Vinkius

Built, hosted, and secured by Vinkius. You just connect and go.